Initial commit
82
03-procedures/management-review-procedure.md
Normal file
@@ -0,0 +1,82 @@
Title: Management Review Procedure
Document ID: [PROC-MGMT-REVIEW-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Management Review Procedure

## Purpose

This procedure defines how BlackDice should prepare for, conduct, record, and follow up formal management reviews of the ISMS.

## Scope

This procedure applies to formal management review activity for the ISMS, including review inputs, decisions, actions, and evidence of oversight.

## Trigger / When Used

Use this procedure:

- at planned management review intervals
- when significant change, incident, or audit outcome requires management review
- when strategic security decisions require formal oversight and recording

## Procedure Steps

1. Define the review date, scope, participants, and agenda.
2. Gather required inputs, including status of objectives, risks, incidents, audit results, corrective actions, exceptions, supplier issues, and improvement opportunities.
3. Prepare the review pack or meeting material and circulate it to participants in advance where appropriate.
4. Conduct the review and document discussions, decisions, approvals, and required actions.
5. Confirm whether the ISMS remains suitable, adequate, and effective, and identify any required changes.
6. Assign owners and due dates for resulting decisions or actions.
7. Record the review outcome in the approved format and retain supporting evidence.
8. Track resulting actions through to closure and report status at the next review where necessary.

## Inputs

- objectives and performance information
- risk and exception status
- incident, audit, and corrective action summaries
- supplier and compliance issues where relevant

## Outputs / Records

- management review minutes or record
- decisions and action items
- updated priorities or improvement actions
- evidence of oversight

## Roles and Responsibilities

- [Role] must coordinate the review process and records.
- Management participants must review the inputs and make informed decisions.
- Action owners must complete assigned follow-up actions.

## Escalation / Exceptions

Escalate where:

- required inputs are incomplete
- major risk or nonconformity requires urgent decision
- assigned actions are not being progressed
- management attendance or approval cannot be obtained

Exceptions to scheduled review timing must be documented and approved.

## Related Documents

- ISMS Manual
- Information Security Objectives Template
- Internal Audit Procedure
- Management Review Minutes Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
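Review bot: Owner and Approver are the same person (`Owner: CISO (Paul Jenkins)` and `Approver: CISO (Paul Jenkins)`), so the procedure that is supposed to evidence top-management oversight of the ISMS is approved only by the person who runs it; name a separate approver drawn from the management participants the procedure itself relies on. Two placeholders also need filling before this leaves Draft: `Document ID: [PROC-MGMT-REVIEW-001]` and `- [Role] must coordinate the review process and records.`, the latter being the only accountability that makes steps 1, 3 and 7 happen at all. Finally, the Inputs section is narrower than step 2 (it drops exceptions, supplier issues and improvement opportunities, and "supplier and compliance issues where relevant" makes those optional where step 2 calls them required), and neither list includes the status of actions from the previous review, which step 8 explicitly carries forward; align the two lists and add that item.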